revise vendor advice
ahouseholder committed Apr 19, 2024
1 parent e887305 commit 0d8af0f
Showing 1 changed file with 10 additions and 32 deletions.
42 changes: 10 additions & 32 deletions docs/tutorials/coord_certcc/vendor.md
Expand Up @@ -12,25 +12,12 @@ This page provides an overview of the process for working with the CERT/CC to ad

{% include-markdown "../../_includes/_certcc_policy_tip.md" heading-offset=1 %}

{== TODO review for accuracy given VINCE ==}
After reviewing the vulnerability report submitted, you can respond by
sending an email to [cert@cert.org.](mailto:cert@cert.org).
When doing so, be sure to include your VU# in the subject line, so that
our automated system can route your response to the analyst handling
your case. If you forget to add the VU# to the subject line of your
response email, our response may be delayed significantly.

{== TODO review for accuracy given VINCE ==}
We recommend encrypting your response email to
[cert@cert.org](mailto:cert@cert.org) with the CERT/CC\'s [PGP public key], in order to
maintain privacy until the public disclosure date. For more information
on using PGP or obtaining the CERT/CC's PGP key, please see [Sending
Sensitive Information](http://www.cert.org/contact/sensitive-information.cfm).

{== TODO review for accuracy given VINCE ==}
To fully communicate with the CERT/CC in a secure manner, we need your
organization's most up-to-date contact information, including your own
PGP public key. To update your information with us, please see our
When you receive a notification from the CERT/CC about a vulnerability in your product,
you should review the information provided and determine whether the report is accurate.
To do so, you can log into the
[Vulnerability Information and Coordination Environment (VINCE)](https://www.kb.cert.org/vince/) to view the report.

To learn more about how to coordinate with the CERT/CC on VINCE, please see our
[VINCE FAQ](https://vuls.cert.org/confluence/display/VIN/Frequently+Asked+Questions).

!!! tip "What does the CERT/CC look for in a response?"
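Review bot: the replacement text drops the secure-communication guidance without a substitute, so a vendor who is not (yet) a VINCE user has no pointer to the PGP key, to "Sending Sensitive Information", or to the "include your VU# in the subject line" routing rule that the removed lines carried. Since a later hunk in this same file still tells vendors they may "reply within VINCE or by email", keep a one-sentence email fallback here, for example "If you reply by email to [cert@cert.org](mailto:cert@cert.org), put the VU# in the subject line and encrypt with the CERT/CC's [PGP public key]", or state plainly that VINCE is now the only channel. Also note the removed "PGP public key" reference-style link: check that its link definition lower in the file is removed too, or mkdocs will carry a dangling definition.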
Expand All @@ -47,13 +34,8 @@ PGP public key. To update your information with us, please see our
- Do you need any further information from the CERT/CC or the reporter
in order to address this issue?

{== TODO review for accuracy given VINCE ==}
If you require extra information from the CERT/CC before a determination
can be made, please feel free to contact us. The best way to do so is to
send an email to [cert@cert.org](mailto:cert@cert.org)
with your VU# in the subject line, asking for more
information. You may also call our phone number during business hours
and an analyst will follow up with your message.
can be made, please feel free to reply within VINCE or by email.

We may also be able to arrange conference calls with analysts, or use
other communication methods if requested.
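Review bot: "please feel free to reply within VINCE or by email" no longer names the address or the VU#-in-subject convention, and the earlier hunk in this file removes the only remaining mention of [cert@cert.org](mailto:cert@cert.org); a reader of the revised page cannot tell where to send that email. Either link VINCE here (as the next sentence's "conference calls" text leaves the reader in VINCE anyway) or restore "send an email to [cert@cert.org](mailto:cert@cert.org) with your VU# in the subject line". Dropping the business-hours phone option is fine, but the sentence that follows ("We may also be able to arrange conference calls") now reads as the second of two options rather than the third; consider "We can also arrange".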
Expand All @@ -71,12 +53,8 @@ to disclose the vulnerability and information on addressing the vulnerability if
or information you wish; we will copy this statement verbatim into our
published Vulnerability Note.

{== TODO review for accuracy given VINCE ==}
To send a Vendor Statement, please email
us at [cert@cert.org](mailto:cert@cert.org) with the VU# of the vulnerability in the subject line,
and include you statement in the body of the email. This email should be
PGP signed by your organization's key so we may verify its
authenticity.
Vendor statements can be added directly to a case within VINCE.
See [VINCE FAQ](https://vuls.cert.org/confluence/display/VIN/Frequently+Asked+Questions) for more.

## Multiparty Coordination

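Review bot: the removed lines required the Vendor Statement email to be "PGP signed by your organization's key so we may verify its authenticity"; the replacement says statements "can be added directly to a case within VINCE" but says nothing about how authenticity is established now. Since the statement is copied "verbatim into our published Vulnerability Note" (context line above), add one sentence that a statement entered in VINCE is attributed to the authenticated vendor account, or keep the PGP-signed email route as a fallback for vendors without VINCE access. The VINCE FAQ link is also already given a few paragraphs up in this file, so a shorter "see the VINCE FAQ above" would avoid repeating the full URL.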
Expand All @@ -93,6 +71,6 @@ working to address it.
just your own (for example, you find a vulnerability in a widely-used
open source library), please feel free to reach out to us to coordinate
with all vendors at once.
{== TODO review for accuracy given VINCE ==}

If desired, we can keep your organization anonymous when coordinating with other
vendors.

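Review bot: this hunk only replaces the TODO marker with a blank line, but the surrounding text still says "please feel free to reach out to us to coordinate with all vendors at once" without saying how, and after the other hunks in this commit the page no longer contains a contact address at all. Suggest changing "reach out to us" to "open a report in [VINCE](https://www.kb.cert.org/vince/)" (or whatever the intended multiparty intake is) so the Multiparty Coordination section is actionable on its own.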